Merge pull request #548 from TheJumpCloud/SA-3724_radius_cert_case_se…

…nsitive SA-3724 Radius Certificate Utility - Match case-insensitive macOS usernames
TheJumpCloud · Dec 5, 2023 · bc257ba · bc257ba
2 parents 8c0fc0f + 2169801
commit bc257ba
Show file tree

Hide file tree

Showing 3 changed files with 27 additions and 2 deletions.
diff --git a/scripts/automation/Radius/Changelog.md b/scripts/automation/Radius/Changelog.md
@@ -1,3 +1,19 @@
+## 1.0.7
+
+Release Date: December 1, 2023
+
+#### RELEASE NOTES
+
+```
+In macOS, it's possible for a user to define their username as `user1234` or `USER1234`. When JumpCloud takes of a user it'll perform a case insensive string comparison and take over the account that matches the username from JumpCloud.
+
+Commands executed by JumpCloud in macOS run as shell scripts `/bin/bash` by default, this shell does not perform case-insensitive string comparisons. This patch version of the Radius Certificate Utility addresses this limitation by explicitly changing the `bash` match patterns to be case-insensitive.
+```
+
+#### Bug Fixes:
+
+- Addressed a bug were users with differing casing (`user1234` vs `USER1234`) between the system and JumpCloud username
+
 ## 1.0.6
 
 Release Date: September 25, 2023

diff --git a/scripts/automation/Radius/Config.ps1 b/scripts/automation/Radius/Config.ps1
@@ -37,7 +37,7 @@ $CertType = "UsernameCn"
 # Do not modify below
 ################################################################################
 
-$UserAgent_ModuleVersion = '1.0.6'
+$UserAgent_ModuleVersion = '1.0.7'
 $UserAgent_ModuleName = 'PasswordlessRadiusConfig'
 #Build the UserAgent string
 $UserAgent_ModuleName = "JumpCloud_$($UserAgent_ModuleName).PowerShellModule"

diff --git a/scripts/automation/Radius/Functions/Public/Distribute-UserCerts.ps1 b/scripts/automation/Radius/Functions/Public/Distribute-UserCerts.ps1
@@ -116,7 +116,14 @@ currentUser=`$(/usr/bin/stat -f%Su /dev/console)
 currentUserUID=`$(id -u "`$currentUser")
 currentCertSN="$($certHash.serial)"
 networkSsid="$($NETWORKSSID)"
-if [[ `$currentUser ==  $($user.localUsername) ]]; then
+# store orig case match value
+caseMatchOrigValue=`$(shopt -p nocasematch; true)
+# set to case-insensitive
+shopt -s nocasematch
+userCompare="$($user.localUsername)"
+if [[ "`$currentUser" ==  "`$userCompare" ]]; then
+    # restore case match type
+    `$caseMatchOrigValue
     certs=`$(security find-certificate -a -$($macCertSearch) "$($certIdentifier)" -Z /Users/$($user.localUsername)/Library/Keychains/login.keychain)
     regexSHA='SHA-1 hash: ([0-9A-F]{5,40})'
     regexSN='"snbr"<blob>=0x([0-9A-F]{5,40})'
@@ -213,6 +220,8 @@ if [[ `$currentUser ==  $($user.localUsername) ]]; then
         rm "/tmp/$($user.userName)-client-signed.pfx"
     fi
 else
+    # restore case match type
+    `$caseMatchOrigValue
     echo "Current logged in user, `$currentUser, does not match expected certificate user. Please ensure $($user.localUsername) is signed in and retry"
     # Finally clean up files
     if [[ -f "/tmp/$($user.userName)-client-signed.zip" ]]; then